CVE-2026-43187

EPSS 0.06%
Veröffentlicht 06.05.2026 11:27:57
Zuletzt bearbeitet 11.05.2026 20:38:50
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

xfs: delete attr leaf freemap entries when empty

In the Linux kernel, the following vulnerability has been resolved:

xfs: delete attr leaf freemap entries when empty

Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size
underflow"), Brian Foster observed that it's possible for a small
freemap at the end of the end of the xattr entries array to experience
a size underflow when subtracting the space consumed by an expansion of
the entries array.  There are only three freemap entries, which means
that it is not a complete index of all free space in the leaf block.

This code can leave behind a zero-length freemap entry with a nonzero
base.  Subsequent setxattr operations can increase the base up to the
point that it overlaps with another freemap entry.  This isn't in and of
itself a problem because the code in _leaf_add that finds free space
ignores any freemap entry with zero size.

However, there's another bug in the freemap update code in _leaf_add,
which is that it fails to update a freemap entry that begins midway
through the xattr entry that was just appended to the array.  That can
result in the freemap containing two entries with the same base but
different sizes (0 for the "pushed-up" entry, nonzero for the entry
that's actually tracking free space).  A subsequent _leaf_add can then
allocate xattr namevalue entries on top of the entries array, leading to
data loss.  But fixing that is for later.

For now, eliminate the possibility of confusion by zeroing out the base
of any freemap entry that has zero size.  Because the freemap is not
intended to be a complete index of free space, a subsequent failure to
find any free space for a new xattr will trigger block compaction, which
regenerates the freemap.

It looks like this bug has been in the codebase for quite a long time.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

NVD 12 VulnDex Vulnerability Enrichment 13

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 2.6.12.1 < 5.10.252

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.202

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.165

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.128

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.75

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.16

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.6

Linux ≫ Linux Kernel Version2.6.12 Update-

Linux ≫ Linux Kernel Version2.6.12 Updaterc2

Linux ≫ Linux Kernel Version2.6.12 Updaterc3

Linux ≫ Linux Kernel Version2.6.12 Updaterc4

Linux ≫ Linux Kernel Version2.6.12 Updaterc5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.184

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-191 Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

https://git.kernel.org/stable/c/f3c0d1fc1eadbb4adbee5ab7757d41d35f48325b

Patch

https://git.kernel.org/stable/c/aa9083d97e2157da3c6fb45ddb1a97af7f188f7f

Patch

https://git.kernel.org/stable/c/a631899025d47ea1aa6464d76db5b4d3b6d196fd

Patch

https://git.kernel.org/stable/c/ffaf5c99d0f862db021fb1af8b813c1416b1beb2

Patch

https://git.kernel.org/stable/c/e1b8c6452ee99a30e188a88f3f3f804fb1c6004a

Patch

https://git.kernel.org/stable/c/f31a8334e1c54b126fcecf98645a49b6bc5ad399

Patch